Enforce Policy using External Dynamic Lists and AutoFocus Artifacts (API)

This use case allows you to use data from AutoFocus threat intelligence to create an external dynamic list for your firewall.
Use the AutoFocus API to export AutoFocus artifacts (IP addresses, domains, or URLs) as an export list that you can host on a web server. Learn more about AutoFocus in the AutoFocus documentation. Then use the PAN-OS XML API to add the URL of the hosted list as an external dynamic list to enforce policy dynamically on the firewall. Learn more about how to use an external dynamic list in policy.
To use AutoFocus, you must first register and activate AutoFocus.
  1. Build an AutoFocus export list. For example, if you want to block potential attacks from the Sofacy group, search for Sofacy as the Tag, and then add the appropriate artifacts shown within the File Analysis tab, such as DNS Activity, HTTP Requests, and Connection Activity.
    Use the AutoFocus API to export the AutoFocus artifacts. Include your AutoFocus API key and the label of the export list, and specify that the list should be formatted for a PAN-OS block list ("panosFormatted":true):
    curl -X POST -H "Content-Type: application/json" -d '{ "apiKey": "<apikey>", "label": "<export-list-name>", "panosFormatted": true }' "https://autofocus.paloaltonetworks.com/api/v1.0/export"
    The response contains a list of IP addresses, domains, or URLs, depending on the artifacts you save:
    {
      "bucket_info": {
        "daily_points": 10.2,
        "minute_points": 200
      },
      "export_list": [
        "176.31.112.10",
        "31.220.43.99",
        "40.76.58.209",
        "62.113.232.196",
        "95.215.47.207"
      ]
    }
  2. Host the export list as a text file on an external web server. To ensure that you have the latest list of artifacts, frequently refresh the hosted list.
  3. Add the URL for the export list to an external dynamic list. In this example the external dynamic list uses IP addresses:
    curl -g -X POST "https://firewall/api?type=config&action=set&xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/external-list/entry[@name='export-list-name']/type/ip&element=<url><edl-list-url></url><recurring><five-minute/></recurring>&key=<apikey>"
  4. Add the external dynamic list as match criteria in a security policy rule. In this example, the rule denies access to IP addresses on the external dynamic list for all users on your network:
    curl -g -X POST "https://firewall/api?type=config&action=set&xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='<security-policy-rulename>']&element=<to><member>any</member></to><from><member>any</member></from><source><member>any</member></source><destination><member><edl-list-name></member></destination><source-user><member>any</member></source-user><service><member>application-default</member></service><action>deny</action>&key=<apikey>"
  5. Commit the changes to the firewall:
    curl -X POST "https://firewall/api?type=commit&cmd=<commit></commit>&key=<apikey>"
    You need to commit only once, when you add the reference to the external dynamic list in a policy rule. Changes to the external dynamic list do not require a commit.
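
One way to handle step 2, as an added example rather than code from the AutoFocus or PAN-OS documentation: it turns the step 1 response into the one-entry-per-line text file that an IP-type external dynamic list reads, and replaces the hosted file atomically. The function names, the output path, the rule that internal ranges are dropped and the refusal to publish an empty list are assumptions of this example.

```python
import ipaddress
import json
import os
import tempfile

# Shape from step 1; last three entries are constructed (duplicate, internal, malformed).
SAMPLE_RESPONSE = json.dumps({
    "bucket_info": {"daily_points": 10.2, "minute_points": 200},
    "export_list": ["176.31.112.10", "31.220.43.99", "40.76.58.209",
                    "31.220.43.99", "10.0.0.5", "not-an-ip"],
})


def build_ip_edl(response_text):
    """Return (accepted, rejected); hosts as bare addresses, ranges as CIDR."""
    accepted, rejected = set(), []
    for raw in json.loads(response_text).get("export_list", []):
        try:
            net = ipaddress.ip_network(str(raw).strip(), strict=False)
        except ValueError:
            rejected.append(raw)  # domain, URL or garbage: not valid in an IP list
            continue
        # Assumed local rule: never publish internal or special-purpose ranges,
        # so a bad export cannot deny traffic to your own hosts.
        if net.is_private or net.is_multicast or net.is_reserved:
            rejected.append(raw)
            continue
        accepted.add(net)  # the set removes duplicates
    ordered = sorted(accepted, key=lambda n: (n.version, n))
    return [str(n.network_address) if n.num_addresses == 1 else str(n)
            for n in ordered], rejected


def publish(entries, path):
    """Atomically replace the hosted file so a fetch never reads a partial list."""
    if not entries:
        # Assumed local rule: a failed or empty export must not wipe the list.
        raise ValueError("refusing to publish an empty list")
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w") as fh:
        fh.write("\n".join(entries) + "\n")
    os.chmod(tmp, 0o644)  # mkstemp creates 0600; the web server must read it
    os.replace(tmp, path)


if __name__ == "__main__":
    good, bad = build_ip_edl(SAMPLE_RESPONSE)
    publish(good, "autofocus-edl.txt")
    print(f"published {len(good)} entries, rejected {bad}")
```

Log the rejected entries on each refresh: a sudden rise usually means the export list was saved with domain or URL artifacts while the external dynamic list is of type IP.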